Skip to content

Merge pull request #1101 from myrotvorets/renovate/github-codeql-acti… #3741

Merge pull request #1101 from myrotvorets/renovate/github-codeql-acti…

Merge pull request #1101 from myrotvorets/renovate/github-codeql-acti… #3741

Workflow file for this run

name: Docker CI
on:
schedule:
- cron: '0 10 * * *'
push:
branches:
- master
paths-ignore:
- '.github/**'
- 'test/**'
- '!.github/workflows/docker.yml'
tags:
- '*.*.*'
pull_request:
branches:
- master
paths-ignore:
- '.github/**'
- 'test/**'
- '!.github/workflows/docker.yml'
workflow_dispatch:
jobs:
docker:
if: github.event_name != 'push' || !contains(github.event.head_commit.message, '[ci skip]')
name: Build Docker image
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
with:
submodules: true
- name: Prepare
id: prep
run: |
DOCKER_IMAGE=myrotvorets/psb-api-identigraf-decoder
VERSION=noop
if [ "${{ github.event_name }}" = "schedule" ]; then
VERSION=nightly
elif [[ $GITHUB_REF == refs/tags/* ]]; then
VERSION=${GITHUB_REF#refs/tags/}
elif [[ $GITHUB_REF == refs/heads/* ]]; then
VERSION=$(echo ${GITHUB_REF#refs/heads/} | sed -r 's#/+#-#g')
if [ "${{ github.event.repository.default_branch }}" = "$VERSION" ]; then
VERSION=edge
fi
elif [[ $GITHUB_REF == refs/pull/* ]]; then
VERSION=pr-${{ github.event.number }}
fi
TAGS="${DOCKER_IMAGE}:${VERSION}"
if [[ $VERSION =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
MINOR=${VERSION%.*}
MAJOR=${MINOR%.*}
TAGS="$TAGS,${DOCKER_IMAGE}:${MINOR},${DOCKER_IMAGE}:${MAJOR},${DOCKER_IMAGE}:latest"
elif [ "${{ github.event_name }}" = "push" ]; then
TAGS="$TAGS,${DOCKER_IMAGE}:sha-${GITHUB_SHA::8}"
fi
echo ::set-output name=image::${DOCKER_IMAGE}
echo ::set-output name=primaryTag::${DOCKER_IMAGE}:${VERSION}
echo ::set-output name=version::${VERSION}
echo ::set-output name=tags::${TAGS}
echo ::set-output name=created::$(date -u +'%Y-%m-%dT%H:%M:%SZ')
if \
[ "${{ github.event_name }}" != "pull_request" ] || \
([ "${{ github.event.pull_request.head.repo.full_name }}" == "${{ github.event.pull_request.base.repo.full_name }}" ] && [ "${{ github.event.sender.login }}" != "dependabot[bot]" ]) \
then
echo ::set-output name=secrets::yes
else
echo ::set-output name=secrets::
fi
- name: Update .npmrc
run: echo "//npm.pkg.github.com/:_authToken=${{ secrets.GITHUB_TOKEN }}" > .npmrc.local
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
- name: Build and push
uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
with:
load: true
pull: true
push: false
tags: ${{ steps.prep.outputs.tags }}
cache-from: type=gha
cache-to: type=gha,mode=max
context: .
file: ./Dockerfile
labels: |
org.opencontainers.image.title=${{ github.event.repository.name }}
org.opencontainers.image.description=${{ github.event.repository.description }}
org.opencontainers.image.url=${{ github.event.repository.html_url }}
org.opencontainers.image.source=${{ github.event.repository.clone_url }}
org.opencontainers.image.version=${{ steps.prep.outputs.version }}
org.opencontainers.image.created=${{ steps.prep.outputs.created }}
org.opencontainers.image.revision=${{ github.sha }}
org.opencontainers.image.licenses=${{ github.event.repository.license.spdx_id }}
- name: Determine security scan parameters
id: scanparams
run: |
if [ "${{ steps.prep.outputs.secrets }}" == "yes" ]; then
echo ::set-output name=format::template
echo ::set-output name=template::@/contrib/sarif.tpl
echo ::set-output name=output::trivy-results.sarif
else
echo ::set-output name=format::table
echo ::set-output name=template::
echo ::set-output name=output::
fi
- name: Security Scan
uses: aquasecurity/trivy-action@master
id: scan
with:
image-ref: ${{ steps.prep.outputs.primaryTag }}
format: ${{ steps.scanparams.outputs.format }}
template: ${{ steps.scanparams.outputs.template }}
output: ${{ steps.scanparams.outputs.output }}
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@fdcae64e1484d349b3366718cdfef3d404390e85 # v2.22.1
with:
sarif_file: trivy-results.sarif
if: steps.scanparams.outputs.output != ''
- name: Login to DockerHub
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
with:
username: ${{ secrets.DOCKER_LOGIN }}
password: ${{ secrets.DOCKER_PASSWORD }}
if: github.event_name != 'pull_request'
- name: Push the image
run: docker push --all-tags "${{ steps.prep.outputs.image }}"
if: github.event_name != 'pull_request'